Linux – Blocking password based logins with usermod, allowing public key logins

linuxssh

The manpage for usermod says this about locking a users account:

   -L, --lock
       Lock a user's password. This puts a ´!´ in front of the encrypted password, effectively disabling the password. You canÂ´t use this option with -p or -U.

I have tried to use this to have a user only log in with the public key, but when I lock the account I get a password prompt.
When I unlock the account again the public key works.

Edited: to make it clear: I want to be able to log in using the key still, and somehow locking the user gives me a password prompt when trying to use the key

Best Answer

As the man page says, this effectively locks the password - as in, it makes it impossible to use the existing password on this account.

It does not disable password-based login - you need to set the correct sshd(8) options for that.

I assume you mean "remotely login via ssh", since I don't know how a public key would be used locally.

Related Solutions

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

Ubuntu SSH – How to Set Up SSH with Public Key and Google Authenticator on Ubuntu 14.04.1

Have got it working well, first did:

apt-get install libpam-google-authenticator

In /etc/pam.d/sshd I have changed/added the following lines (at the top):

# @include common-auth
auth required pam_google_authenticator.so

And in /etc/ssh/sshd_config:

ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication no

Works well and I now receive a "Verification code" prompt after authentication with public key. I am not sure how I would allow authentication with password+token OR key+token, as I have now effectively removed the password authentication method from PAM.

Using Ubuntu 14.04.1 LTS (GNU/Linux 3.8.0-19-generic x86_64) with ssh -v : OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014

Best Answer

Related Solutions

Ssh – How to automate SSH login with password

Ubuntu SSH – How to Set Up SSH with Public Key and Google Authenticator on Ubuntu 14.04.1

Related Topic